Ever wrestled with one of those thorny problems for weeks only to wake up in the middle of the night with the answer? Thus was born Travelin’ Man, a web-based, one-click Asterisk® application that automatically reconfigures your Asterisk PBX to enable remote SIP phone access from your cellphone, iPad, remote PC, NetBook, or desktop telephone.

News Flash: Be sure to read our latest article introducing Travelin’ Man 3, a completely new security methodology based upon FQDN Whitelists and DDNS. In a nutshell, you get set-it-and-forget-it convenience and rock-solid VoIP security for your Cloud-based PBX or any PBX in a Flash server that’s lacking a hardware-based firewall and you get both transparent connectivity and security for your mobile or remote workforce.

If you’ve read the Incredible PBX series of articles on Nerd Vittles, you already know what a thorny problem remote phone access is if you want to preserve the overall security of your server. Indeed, our recommendation has been to leave SIP access closed on your hardware-based firewall because of the dangers inherent in activating remote SIP access. Now we have a better idea!

Today’s new approach works like this. First, we’ll run a little script that secures all of your extensions with permit entries locking down all these connections to the IP address range within your private network. Then we’ll open the SIP and RTP ports on your hardware and software firewalls and map these ports to your Asterisk server’s private IP address. With this setup, no one can attempt remote SIP logins to your server because Asterisk blocks all SIP extension connection attempts except those originating inside your LAN. To manage external phone connections to your server, the install script creates a new virtual Apache web server on your Incredible PBX using port 83. We’ll enable and map TCP port 83 on your hardware and software firewalls to your server as well. Web access with port 83 is limited to running the Travelin’ Man app to activate external phones.

Now we’re ready to set up access to your server for remote devices. For each extension you wish to enable for remote access, we’ll create a special web directory using an obscure, random file name which will serve as the web link for the Travelin’ Man web app. For example, in the diagram above, directory 184778 manages extension 501, directory 2389957h manages extension 701, and directory 6993h5j manages extension 702. This is accomplished by simply changing the extension number in the index.php script stored in each directory.

When one of these web links is accessed remotely, the PHP script will automatically reconfigure Asterisk to enable access to the designated SIP extension on your server using the remote IP address from which the web page was accessed. And, of course, there’s an additional layer of SIP security as well. You still need your extension credentials to actually log in to your server with a softphone to place and receive calls. The Travelin’ Man installation process takes only a couple minutes, and the remote SIP activation procedure takes just a couple seconds each time you want remote access from a different location. Here’s a quick example of how it actually works.

Let’s assume we want to use the new $3.95 Bria SIP softphone on an iPad to connect as extension 501 on our Incredible PBX back at home. The problem is that the dynamic IP address of your iPad changes at each new site on your itinerary. Some locations have WiFi while others only have 3G connections.

First, we’ll generate an icon to run Travelin’ Man from your iPad desktop. Use the same procedure with an iPhone or iPod Touch, and there’s a similar procedure for Android devices.[1] You only have to do this once. Start up Safari on the iPad to access the new port 83 web server at the random web address the installer created to support extension 501. That web address is something like this using your own FQDN[2]: http://myserver.dyndns.org:83/184778. After establishing the link once, we’ll hit the + button in Safari and choose Add to Home Screen. This creates the TravelMan icon on the iPad. See the screenshot below of our demo iPad setup which used extension 221 instead of 501.

Once configured, it’s just two clicks to enable your remote phone anywhere: click once on the TravelMan icon. When your IP address is confirmed, return to your Home Screen and click the Bria softphone icon to establish a SIP connection back to your server. Behind the scenes, the Travelin’ Man application will generate the required permit entry for your remote IP address mapping it to the designated extension on your server, and then it will reload your SIP settings to make your Asterisk server accessible to the Bria softphone in your hotel room. The entire process takes only a couple seconds.

If your company happens to have a dozen traveling salesmen, then you’d simply assign a dedicated extension to each employee and create secure directory names for each person (e.g. 2389957h and 6993h5j in diagram above) with a copy of the Travelin’ Man app configured for that employee’s extension number. Now your entire mobile workforce has connectivity back to the home office from any location on the globe. And, when an employee leaves the company and another arrives, just create a new name for the old employee’s web directory to preserve the security of your system (e.g. 184778 in our example becomes 78hd773). Keep in mind that each time the Travelin’ Man app is run for any extension, it wipes out any previously authorized IP address entry for that extension. Thus, the security of your Incredible PBX is always preserved.

Prerequisites. Before proceeding with today’s install, you must be running a stock install of Incredible PBX with PBX in a Flash behind a properly-secured, hardware-based firewall.[3] We recommend the latest version of Asterisk 1.4 because it addresses a SIP vulnerability that might cause you problems if malformed SIP packets are targeted at your server. The current release of PBX in a Flash (1.7.5.5 Silver) is ideal, but any version of PBX in a Flash can be brought current with Asterisk using the update-source and update-fixes tools. Travelin’ Man assumes that you have the Incredible PBX base install of extensions: 501 plus 701-715. You can obviously add more or remove some, but you’ll need to manually adjust sip_custom_post.conf to reflect your actual extension list after the install completes.

The installer has been encrypted for your/our own protection. In source form, the script would allow anyone to defeat the Incredible PBX requirement. Doing so would mean the required IPtables security component would not be in place and properly configured to protect the underlying system from attack. So we’ve opted to play Big Brother to avoid potential security problems for all of us down the road. This article clearly explains all the necessary components if some folks want to roll their own version. We just don’t want the responsibility if something goes horribly wrong. As Forrest Gump would say, “Shit Happens.” 🙂 If you don’t believe it, check out the latest security scramble in the trixbox forums.

Installation. Now we’re ready to get started. So log into your Incredible PBX as root and issue the following commands:

The first step in the install procedure is to lock down access to all of your extensions to your private LAN subnet. In case you ever want to do this on another server not running the Incredible PBX, here’s a link to our privip.sh shell script that shows how to do it. This should work on most FreePBX-based Asterisk systems.

Once the extensions are locked down, the script will modify your IPtables and Apache configurations to permit web access on port 83. Next, it will adjust your Asterisk setup to support the Travelin’ Man permit scheme. This involves reworking of sip_custom_post.conf so that permit settings for individual extensions can be stored in files named 501.inc, 701.inc, etc. Finally, the installation procedure will set up a single web site to support extension 501 with a randomized directory name for remote access.[4] This setup will be stored in /var/www/travelman. To activate support for additional extensions, you would simply copy the subdirectory giving it a new random name: cp -r dir1 dir2. Then edit config.php in the new subdirectory and change the $extension entry.
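As an added illustration of the permit scheme described above and in the overview earlier in the article (this is example code written for this edit, not the Travelin’ Man installer or its index.php), here is the logic that rewrites one extension’s .inc file: deny everything, permit the private LAN, and permit exactly one remote host. It assumes that sip_custom_post.conf carries a `[501](+)` style section that `#include`s `501.inc` from /etc/asterisk, and that the caller runs `asterisk -rx "sip reload"` afterwards; the LAN range and paths are placeholders.

```python
import ipaddress
import os
import tempfile

INC_DIR = "/etc/asterisk"     # assumed location of the <extension>.inc files
LAN_RANGE = "192.168.1.0/24"  # constructed example private subnet


def build_permit_include(extension: str, lan_cidr: str, remote_ip: str) -> str:
    """Return the full body of <extension>.inc.

    The file is rebuilt from scratch on every call, which is what makes a new
    activation wipe out the previously authorized remote address."""
    if not extension.isdigit():
        raise ValueError("extension must be numeric")
    lan = ipaddress.ip_network(lan_cidr, strict=True)
    # Only a value that parses as an IPv4 address reaches the config file, so a
    # crafted client value can never inject additional sip.conf directives.
    host = ipaddress.ip_address(remote_ip)
    if host.version != 4 or lan.version != 4:
        raise ValueError("chan_sip permit/deny lines here are IPv4 only")
    if host.is_loopback or host.is_multicast or host.is_unspecified:
        raise ValueError(f"{remote_ip} is not a usable peer address")
    return (
        "deny=0.0.0.0/0.0.0.0\n"
        f"permit={lan.network_address}/{lan.netmask}\n"
        f"permit={host}/255.255.255.255\n"
    )


def activate_remote(extension: str, remote_ip: str,
                    inc_dir: str = INC_DIR, lan_cidr: str = LAN_RANGE) -> str:
    """Atomically replace <extension>.inc and return its path.

    Writing to a temp file and renaming means a 'sip reload' that races with
    the web request never includes a half-written file."""
    body = build_permit_include(extension, lan_cidr, remote_ip)
    path = os.path.join(inc_dir, f"{extension}.inc")
    fd, tmp = tempfile.mkstemp(dir=inc_dir, prefix=f".{extension}.")
    with os.fdopen(fd, "w") as fh:
        fh.write(body)
    os.chmod(tmp, 0o640)  # readable by the asterisk group, not world-readable
    os.replace(tmp, path)
    return path
```

The web front end should pass only the socket peer address (REMOTE_ADDR) into `activate_remote`, never a forwarded-for header, and then trigger the SIP reload.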

To complete the install, you must reconfigure your hardware-based firewall and map the following ports to the private IP address of your server:

TCP 83
UDP 5060
UDP 10000-20000

When the installation is completed, it will show you how to access the new web site for extension 501 using either a fully-qualified domain name or a public or private IP address. Now just follow the steps at the beginning of this article to set up your Android or iDevice, and test things out. Enjoy!

Reminders: Be sure to review the comments to this article and the related support forum thread for a week or two for late-breaking enhancements and issues. Also, Incredible PBX comes preconfigured with call forwarding activated for extension 501. Don’t forget to either disable it or set up a real call forwarding number for extension 501 if you want your cellphone to ring. From any extension on your server, just dial *72501 to set up call forwarding. To cancel call forwarding and pass calls directly to the registered 501 softphone, dial *74 and enter 501. Also be aware that the default RingAll ring group (700) configuration on Incredible PBX systems does not include extension 501. So add 501 if you want your remote extension to ring for incoming calls.

Support Issues. With any application as sophisticated as this one, you’re bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It’s the best Asterisk tech support site in the business, and it’s all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won’t have to wait long for an answer to your questions.

If you’re wondering what your fellow man is reading on Nerd Vittles these days, wonder no more. Visit our new whos.amung.us statistical web site and check out what’s happening. It’s a terrific resource both for us and for you.

Special Thanks to Our Generous Sponsors

FULL DISCLOSURE: 3CX, RentPBX, Amazon, Vitelity, DigitalOcean, Vultr and others provide financial support to Nerd Vittles and our open source projects through advertising or referral revenue. We’ve chosen these providers not the other way around. Our decisions were based upon their corporate reputation and the quality of their offerings and their pricing. Our technology recommendations are reached independently of financial considerations except in situations in which comparable products at comparable pricing are available from multiple sources. In this limited case, we support our sponsors because our sponsors support us.

Awesome Vitelity Special. Vitelity has generously offered a terrific discount for Nerd Vittles readers. You now can get an almost half-price DID from our special Vitelity sign-up link. If you’re seeking the best flexibility in choosing an area code and phone number plus the lowest entry level pricing plus high quality calls, then Vitelity is the hands-down winner. Vitelity provides Tier A DID inbound service in over 3,000 rate centers throughout the US and Canada. When you use our special link to sign up, Nerd Vittles gets a few shekels down the road to support our open source development efforts while you get an incredible signup deal as well. The going rate for Vitelity’s DID service is $7.95 a month which includes up to 4,000 incoming minutes on two simultaneous channels with terminations priced at 1.45¢ per minute. Not any more! For our users, here’s a deal you can’t (and shouldn’t) refuse! Sign up now, and you can purchase a Tier A DID with unlimited incoming calls and four simultaneous channels for just $3.99 a month. To check availability of local numbers and tiers of service from Vitelity, click here. NOTE: You can only use the Nerd Vittles sign-up link to order your DIDs, or you won’t get the special pricing! Vitelity’s rate is just 1.44¢ per minute for outbound calls in the U.S. There is a $35 prepay when you sign up. This covers future usage. Any balance is refundable if you decide to discontinue service with Vitelity.

[1] To create a desktop icon for Travelin’ Man on Android devices, navigate to the link with your browser. Then save the link as a Bookmark by clicking the Star icon in your browser, then click Add. Return to the Home Screen and, from the screen on which you wish to add the icon, touch and hold your finger on the screen. When the Add to Home Screen menu appears, choose Shortcuts, then Bookmarks, and select the link you previously saved. As with iDevices, you only have to do this once.

This article has 18 comments

This is great, and I will be setting it up this afternoon. Do you use robots.txt file to make sure that the directories don’t get indexed by search engines?

I think it would be nice if the user had to authenticate with a password, when visiting the URL, for an extra level of security.

WM: Directories won’t get indexed because there is no link to the subdirectories, but robots.txt is now included anyway. If you want password authentication for the directories, issue the script commands below which will honor all existing passwords on your system as well as any new ones you create using this command:

Okay, I’m sorry to be stupid, but does Fail2Ban also work on IAX2 and SIP connections?

I was led to believe it did by this article. And a quote from the article that says:

“Just recently, we’ve added the latest release of Fail2Ban to all PBX in a Flash systems using our software update service. Fail2Ban blocks SIP and IAX attacks which are becoming more and more prevalent by locking IP addresses out of your server for a specified period of time whenever a designated number of invalid passwords are submitted.”

… saying it’s from NerdUno himself. Can you clear this up???

[WM: Yep. Fail2Ban is there. Problem is that it reads your logs to work its magic. And with some high-speed computer attacks (e.g. Amazon S3), there can be thousands of attempts on your system before your poor little machine ever gets a sufficient processor time slice to read its log. In short, Fail2Ban is not real-time while Asterisk permit restrictions are. So permit restrictions are one more arrow for your security quiver if you choose to allow SIP or IAX connections to your system.]

Just wanted to say thanks for doing this. I finally did get it working. Running iPhone4 and the Bria for iPhone client. Initially had no audio. Got a D-Link and that seemed to fix it (per Ward’s recommendation). Thank you very much.

Should Google Voice integration work on the Bronze load? It does not work for me, but it works fine on the Silver load.

[WM: Bronze is Asterisk 1.6. If you’re using Incredible PBX and chose the Asterisk 1.6 option, you should be fine. If you manually installed Google Voice, then you’ll need to change the piping | characters to commas in extensions_custom.conf and restart Asterisk. 64-bit shouldn’t matter.]

For setting up the softphone on iPhone, what password do I have to use? I followed the instructions and I have everything set; however, I am unable to connect remotely using my iPhone with the Acrobits or mixphone softphone. It works fine when connected locally but no luck remotely using my AT&T data plan.

example:
username: 701
password: ?
server: my server’s ipaddress

[WM: Use your password for extension 701. It’s stored in FreePBX in the secret field for that extension.]

I have been using the Incredible PBX 3.0. Absolutely love it. I finally got the Travelin’ Man to work remotely on a 3G iPhone with fqdn.dyndns.org:83/33333. I have read all the postings regarding how to add another extension to my network. I went in to Config Edit; 501 has my iPhone IP now, and for extension 701 I entered the other IP of that phone. My problem is how do I get the 2nd iPhone to add the Travelin’ Man application with extension 701. I am assuming it’s fqdn.dyndns.org:81/ with a new random 5 digits. I have been trying to do this for 1 month and I don’t get it. I thought once you went in to Config Edit and edited extension 701 it would generate the 5 digits. I would greatly appreciate any help.

[WM: Huh? Where have you been? We’ve supported VPNs as far back as the Hamachi days. Currently we recommend NeoRouter and PPTP VPNs as the easiest to set up. But OpenVPN has been documented as well for years. We also have a stand-alone VPN in a Flash server that can be installed from any of the PIAF2 ISOs. And Incredible PBX includes turnkey NeoRouter and PPTP VPNs out of the box. Finally, Incredible PBX for Raspberry Pi supports NeoRouter and PPTP VPNs as well. Either can be configured in less than 5 minutes.]